Legal compliance of internal and external communications is vital in regulated industries like the finance sector. When management and the compliance team ask for a Jabber IM compliance solution, they rarely mean ‘we need to store chats somewhere’.
They require a complete solution that supports the legal compliance team and ensures that the Compliance Officer in the company can reasonably demonstrate to any regulator that safeguards, audits, privacy controls and effective search and analysis capabilities are in place, so that regulatory requests can be answered in a timely manner (just think of the Sarbanes–Oxley Act). Today let’s examine two options for Jabber legal compliance: the PostgreSQL and the Verba way.
Two main Jabber IM compliance architectures
When your compliance team or management asks for a Jabber IM compliance solution, they rarely mean: “let’s just store those chats somewhere”. The Verba solution not only records UC sessions, but also provides the organization with an end-to-end solution from recording to legal holds and long-term archiving.
When you need Jabber IM compliance, you have essentially two options to achieve that. Both are Cisco-supported standard designs:
- PostgreSQL based – sending IM transactions into an open source PostgreSQL database
- Compliance Server based – using a third-party Compliance Server (like Verba) that connects to the Cisco IM and Presence Server
Both architectures have their place; organizations with different requirements and different ambitions will have to decide which one fits better.
The difference: first base vs homerun
The best way to demonstrate the difference is to use a baseball metaphor (please forget other related metaphors for a minute).
Using the PostgreSQL solution is useful and when it is done, you are one step closer to IM compliance: you can point to a database that stores all your IM messages. However, that is as far as you get. There are a couple more bases to cover in most organizations. Some highlights of the PostgreSQL solution:
- requires an external PostgreSQL database (Cisco provides help for setting up PostgreSQL on a Linux server in Database Setup Guide for Cisco Unified Presence)
- you configure one or more external databases per Cisco cluster (see Configuring an External Database on Cisco Unified Presence chapter in the above database setup guide)
When you connect Presence Server to the database, it will create the correct database schema automatically (a great feature). Accessing the database requires direct access to PostgreSQL. There are web-based solutions to access PostgreSQL (like phpPgAdmin); however, those provide low-level access and are not really suitable for your compliance team.
Compliance Server based solution with Verba
The primary Jabber IM compliance architecture in the Verba Recording System is based on a native compliance interface in the Presence Server. The standard Cisco diagram to the left shows this architecture. The compliance interface makes the following capabilities possible:
- selective recording – store only what is relevant or necessary
- compliance messages – directly injected into the message flow for your users to see
- filtering IM messages – phrase based redaction and filtering
- ethical wall – blocking IM for legal reasons
- technical blocking – blocking when recording is not available for any reason
While the current version of the Verba solution is not a full-fledged ethical wall, it does have functionality for filtering, redaction and blocking.
There is more, however…
Added value for legal compliance with Verba
The added value does not stop there. Having the IM sessions stored in the Verba Media Repository (essentially a compliance store) gives the following advantages:
- web based access – there is no need to write a separate web interface or directly access a Linux-based database
- access control – you define who can see what, so multiple legal teams can work in the system without privacy or compliance issues
- auditing – all access to the solution is logged
- unified access to media – when IM, voice and video are all stored into Verba, these are presented in a unified way, in a single system
- built-in data retention – a comprehensive data retention system gives your compliance teams (even across state and country borders) total flexibility in defining retention rules for subsets of your recordings, no need to write scripts
- collaboration of legal team – your legal team can collaborate on recorded IM sessions by marking and tagging them, and can work in a single system to find what they need
- legal hold support – the solution supports legal hold, to ensure necessary sessions are not deleted by data retention
The solution is Windows Server and Microsoft SQL Server-based and provides built-in monitoring methods, which make it IT-friendly.
The above functions not only provide recording, but also provide the organization with a secure, audited, end-to-end solution from recording through legal hold management to long-term archiving. One word: homerun.
Besides these, the Verba solution also supports many methods to record all aspects and media of Cisco Unified Communications, which makes it a future-proof option for any team:
- Network port mirroring (voice, video)
- Phone based RTP forking (voice)
- Gateway API (XCC) based RTP forking (CUBE, TDM) (voice)
- CUBE based RTP forking (voice, video)
- Dial-in recording (voice, video)
- Proxy based recording (voice, video)
- MediaSense integration (voice)
- Jabber Compliance Server API (IM)
This comprehensive Verba technology portfolio means the compliance team will have a hard time coming up with new requirements that are not already covered by the Verba solution (and when they do, our team reacts quickly). We call this approach, in which IM, voice, video and desktop screen recording is done in a single unified system, Collaboration Recording.
The difference between Legal Compliance and Storing Chats
When management and the compliance team ask for a Jabber IM compliance solution, they rarely mean ‘we need to store chats somewhere’. They need a complete solution that supports the legal compliance team and ensures that the Compliance Officer in the company can reasonably demonstrate to a regulator that safeguards, audits, privacy controls and fast search and analysis capabilities are in place, so that regulatory requests can be answered in a timely manner.